thetuningspoon Posted February 16, 2014

We're working on building a front end login form and the programmer I'm working with discovered that after the form is submitted and the post values are used to log the user in with $session->login(), $user->isLoggedin() still returns false until after the page is physically reloaded, changed, or $session->redirect() is used in the code. Maybe it's just late and I'm not thinking straight, but what is the reason for this?

horst Posted February 16, 2014

The reason could be that, at the point when you use $session->login() (in your template file?), the variable $user is already populated. And it can't be changed automagically when you do a call to $session->login(). You may use something like:

```php
$u = $session->login($username, $pass); // try to login a user
if($u) {
    // if login was successful $u holds a user object
    $user = $u; // repopulate the $user variable with the new user
}
// .. and then the rest of your code :
if( $user->isLoggedIn() ) {
    // ...
}
```

Harmster Posted February 17, 2014

My idea (and don't take my word for it) is: the session needs to be reinitialized and the credentials used must be set in order to generate other dependencies like the $user object. I took a look in the method in the $session class and you can see that a cookie is generated and some other things are set.

Code for reference: https://github.com/ryancramerdesign/ProcessWire/blob/03387f8283d518e9cc405eff8f05cd6a5bf77c4c/wire/core/Session.php#L257

```php
public function ___login($name, $pass) {

    if(!$this->allowLogin($name)) return null;

    $name = $this->fuel('sanitizer')->username($name);
    $user = $this->fuel('users')->get("name=$name");

    if($user->id && $this->authenticate($user, $pass)) {

        $this->trackChange('login');
        session_regenerate_id(true);
        $this->set('_user_id', $user->id);
        $this->set('_user_ts', time());

        if($this->config->sessionChallenge) {
            // create new challenge
            $challenge = md5(mt_rand() . $this->get('_user_id') . microtime());
            $this->set('_user_challenge', $challenge);
            // set challenge cookie to last 30 days (should be longer than any session would feasibly last)
            setcookie(session_name() . '_challenge', $challenge, time()+60*60*24*30, '/', null, false, true);
        }

        if($this->config->sessionFingerprint) {
            // remember a fingerprint that tracks the user's IP and user agent
            $this->set('_user_fingerprint', $this->getIP(true) . $_SERVER['HTTP_USER_AGENT']);
        }

        $this->setFuel('user', $user);
        $this->get('CSRF')->resetToken();
        return $user;
    }

    return null;
}
```

ryan Posted February 17, 2014

Both guys here are correct. The session needs to be regenerated with a new session ID and some new cookies need to be set, etc. Redirecting after successful login ensures you are dealing with the new and authenticated session and $user, ready to work with.

Craig Posted February 17, 2014

To build on top of Ryan's response, redirecting is not just sensible to do on login, but whenever you have forms. The Wikipedia page on the Post/Redirect/Get pattern explains it much better than I can - it's definitely worth the read.
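
The login-then-redirect flow discussed in this thread, written out as a template file. This is an added example, not code from any of the posters or from ProcessWire itself; it assumes it runs as a ProcessWire template (so $input, $session, $user, $sanitizer and $page are API variables), and the form field names and the login_error session key are hypothetical.

```php
<?php
// Added example: front-end login template using Post/Redirect/Get.
// Assumes a ProcessWire template file, where $input, $session, $user,
// $sanitizer and $page are API variables. The field names (login_name,
// login_pass, login_submit) and session key (login_error) are hypothetical.

if($input->post->login_submit) {
    $error = '';
    if(!$session->CSRF->hasValidToken()) {
        $error = 'The form expired, please try again.';
    } else {
        $name = $sanitizer->username($input->post->login_name);
        $pass = (string) $input->post->login_pass;
        // login() returns the User object on success and null on failure
        $u = ($name !== '' && $pass !== '') ? $session->login($name, $pass) : null;
        // one generic message, so the response does not reveal which part was wrong
        if(!$u) $error = 'Login failed.';
    }
    // carry the message across the redirect in the session
    if($error !== '') $session->set('login_error', $error);
    // Redirect on success and on failure (false = 302 rather than the default 301).
    // The next GET runs on the regenerated session ID with the new cookies, so
    // $user is the authenticated user, and a reload cannot re-post the password.
    $session->redirect($page->url, false);
}

if($user->isLoggedin()) {
    echo '<p>Logged in as ' . $sanitizer->entities($user->name) . '</p>';
} else {
    $error = $session->get('login_error');
    $session->remove('login_error');
    if($error) echo '<p class="error">' . $sanitizer->entities($error) . '</p>';
    $tokenName = $session->CSRF->getTokenName();
    $tokenValue = $session->CSRF->getTokenValue();
    echo "<form method='post' action='{$page->url}'>"
       . "<input type='hidden' name='$tokenName' value='$tokenValue'>"
       . "<input type='text' name='login_name' autocomplete='username'>"
       . "<input type='password' name='login_pass' autocomplete='current-password'>"
       . "<input type='submit' name='login_submit' value='Log in'>"
       . "</form>";
}
```

Because login() resets the CSRF token, the form rendered after the redirect picks up the fresh token along with the new session ID.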